Mend.io, the Israel-based supplier of popular software that helps developers identify and remediate vulnerabilities and security issues in their code libraries, has sealed a potentially dangerous vulnerability in its application security platform that was uncovered by the research team at WithSecure.
The vulnerability, which is being publicly disclosed today after a four-month remediation process, was found in Mend.io’s Security Assertion Markup Language (SAML) login option – a type of single sign-on authentication that lets users access various online services with the same credentials.
SAML services use a specialised identity provider to authenticate users rather than storing login credentials, but in Mend.io’s platform, this process was not scoped to specific customer software-as-a-service (SaaS) environments or tenants, allowing unauthorised access to any other customer tenant.
Had it been exploited by a threat actor, the flaw could have allowed a malicious customer to use the vulnerable SAML implementation to access the data of other customers in the same environment, provided they could obtain, or guess, a valid email address from the organisation they were targeting.
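A minimal model of the tenant-scoping defect described above, written as an added illustration rather than Mend.io's own code: the unscoped consumer resolves the asserted email across every tenant, so any trusted identity provider can log in as any user, while the scoped consumer binds the assertion to the tenant the login started in. Tenant names, issuer URLs and user directories are constructed, and signature validation is assumed to have already happened upstream.

```python
"""Tenant-scoped vs. unscoped SAML assertion consumption (added model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assertion:
    issuer: str   # entity ID of the IdP that signed the assertion
    email: str    # NameID / email attribute asserted by that IdP


# Constructed SaaS state: each tenant trusts exactly one IdP issuer and
# holds its own user directory (email -> internal user ID).
TENANTS = {
    "tenant-a": {
        "idp_issuer": "https://idp.example-a.test",
        "users": {"alice@example-a.test": "A-alice"},
    },
    "tenant-b": {
        "idp_issuer": "https://idp.example-b.test",
        "users": {"bob@example-b.test": "B-bob"},
    },
}


def login_unscoped(assertion):
    """Defective pattern: trust the asserted email on its own and search
    every tenant for it. Any IdP the platform trusts can then assert an
    email that belongs to a different customer."""
    for tenant_id, tenant in TENANTS.items():
        if assertion.email in tenant["users"]:
            return tenant_id, tenant["users"][assertion.email]
    return None


def login_scoped(assertion, login_tenant):
    """Hardened pattern: the tenant is fixed by the login context (for
    example the SP-initiated request), the assertion must come from that
    tenant's configured IdP, and the user lookup never leaves that tenant."""
    tenant = TENANTS.get(login_tenant)
    if tenant is None or assertion.issuer != tenant["idp_issuer"]:
        return None  # issuer is not the one bound to this tenant
    user = tenant["users"].get(assertion.email)
    return (login_tenant, user) if user else None
```

A useful check on any multi-tenant SSO integration is the second case below: an assertion from one tenant's IdP naming a user of another tenant must be rejected regardless of which tenant context it is presented in.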
“Basically, the single sign-on service would accept any legitimate customer’s email address without any additional authentication,” said Ari Inki, chief architect at WithSecure.
“Attackers would only need to get a Mend.io account in a specific SaaS environment, configure it to accept the single sign-on authentication method, and then use an email address for the target company’s account – steps which are all doable by today’s cyber criminals.”
WithSecure said that while the data held by Mend.io would naturally vary from customer to customer, its use as an application security platform made it more likely someone with malicious intent could have used it to plan targeted attacks against vulnerable pieces of software they could identify.
Security services
Formerly known as WhiteSource, Mend.io bills itself as an experienced provider of security services to help organisations build world-class appsec offerings that reduce risk and accelerate development.
It got its start when its founders were trying to sell a previous company and the buyers requested a software inventory and security scan as part of their due diligence, a process that turned out to be time-consuming, costly and riddled with mistakes.
Users of its platform include Fujitsu, IBM, KPMG, Microsoft, Motorola, PwC, Siemens, Toshiba and Vodafone.
“Securing our customers’ data is vital to our organisation, and we’re happy that WithSecure was proactive in helping us identify and fix this problem,” said the firm’s executive vice-president of customer experience, Robert Nilsson.
“By working together, we were able to move quickly to ensure the issue was fixed before it was used by any threat actors to attack our customers.”
As a result of the collaborative effort between the two organisations, Mend.io has now implemented into its platform an additional layer of security to prevent cross-account or cross-organisation collaboration. Customers who may need legitimate access to data stored in other accounts can have this layer removed if they wish, but this must be done by Mend.io itself.
No further action is required on the part of any Mend.io users in response to the disclosure; however, users are being advised to review any relevant logs for possible signs of abuse, just to be on the safe side.
WithSecure and Mend.io said that to the best of their knowledge, no active exploitation of the vulnerability ever occurred.